by Jeff Yates, ACT Executive Director
Laptops, Windows based portables, and smart phones allow agents and brokers to stay in touch with their customers and offices and to have access to their agency systems from anywhere at any time. These portable devices will continue to get better and better offering larger disk storage, very convenient user interfaces, fully functional Office suites, as well as wireless Internet access, email, and Internet browsing. We expect use of these devices by agency principals and producers in the field to continue to increase dramatically.
While these portable devices offer great convenience, they also present an even higher security risk to agencies than their in-house systems. Portable devices are both lost and stolen frequently. In the last six months in London, 63,135 mobile phones (an average of three phones per taxi), 5,838 PDAs and 4,973 laptops have been left in licensed taxi cabs. In Chicago, taxi drivers recently reported that during a six-month period, 21,460 PDAs and Pocket PCs were accidentally left behind in their cabs.
These portable devices are capable of storing a large amount of data, and if preventative measures are not taken, this data is very easy to access. If the proper access controls are not in place, it is very easy to access the agency’s network from one of these devices. In addition, there is an increasing number of viruses and worms being targeted to mobile devices, and yet the antivirus software for these devices is either very new and little used, or nonexistent.
Agents should consider taking the following steps with regard to laptops and other portable devices:
- Activate the password requirement on the device.
- Provide a logon and password requirement at the agency system firewall level in order to access the agency’s system rather than letting the portable device automatically remember this id and password.
- Treat laptops and portable devices as a special category in the agency security policy recognizing the higher risks presented by these devices. Train employees on these risks.
- The agency should periodically check these devices to make sure that the security safeguards are incorporated and that they are fully compliant with the security policy.
- The customer data maintained on these devices should be restricted to what is absolutely necessary.
- Avoid storing password information in these portable devices.
- If private information is contained in the customer’s Contact file in the agency system, a second Contact file may be created without that private information to synchronize with the portable device.
- Enable automated security patch downloads, for all software, but especially for Microsoft software. If automated downloads are not available for the particular device, then proactively retrieve the updates regularly, such as on a monthly basis.
- Continuously monitor what antivirus software is available for your portable device from your device maker and incorporate what you determine to be best for you
- If your Pocket PCs are connected to a Microsoft Exchange Server 2003 (SP 2), a new feature, “Remote wipe,” is available that enables Exchange administrators to erase sensitive data from a lost or stolen Pocket PC. After the remote wipe has been completed, the administrator will receive acknowledgement that the device has been wiped.
These recommendations for portable devices should fit within the overall security policy that the agency adopts. Think of your security strategy as a series of layers to protect your core data (the “onion principle”). These layers include at least:
- A security policy based upon an assessment of the specific risks your agency faces.
- Written procedures coupled with employee training on the policy and procedures.
- Firewalls that protect the perimeter of your systems from intrusion by unauthorized persons and viruses.
- Diligent management of passwords, so that only authorized persons gain access to your system, and their identity is authenticated. Immediate deactivation of former employees’ access to agency and carrier systems.
- Limits on employee access to only that information they need to see.
- The latest versions of virus software, continuously and automatically updated.
- Auditing employee activity for compliance with the security policy and procedures.
- Systems traffic monitoring for unusual activity that indicates a breach may have occurred.
Managing your security risks upfront—even though it will entail some time and cost—can save you a much greater expenditure of time and money in the long run, should there be a security breach. It is also legally required. The Gramm-Leach-Bliley Act (GLBA) requires independent agencies and brokers, along with insurance carriers and other financial institutions, to proactively implement administrative, technical, and physical safeguards to ensure the security and confidentiality of their customers’ nonpublic personal information. GLBA imposes these general requirements, but leaves it up to the agency or financial institution to decide which specific policies and technologies it will implement to fulfill these obligations.
In addition, identity theft laws have now been passed in most states imposing similar obligations on agencies as well as on other businesses. These laws mandate that agencies make specific disclosures to customers when a security breach occurs that might compromise their private information, and may also require the agency to pay for services for these customers to use to monitor and repair their credit standings.
ACT’s “The Independent Agent’s Guide to Systems Security; What Every Agency Principal Needs to Know” (March, 2005) continues to be a highly relevant resource for agents to use to manage their ongoing security risks. This tool, including its prototype agency security policy, can be found at www.independentagent.com/act, under “Agency Improvement Tools.”
Jeff Yates is Executive Director of the Agents Council for Technology (ACT) which is part of the Independent Insurance Agents & Brokers of America. Jeff Yates can be reached here. ACT’s many reports and business improvement tools can be found at www.independentagent.com/act. This article reflects the views of the author and should not be construed as an official statement by ACT.